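#!/bin/sh
#
# egress_filtering_ipchains.sh
#
# Sample Ingress/Egress filters with ipchains
# on a machine that also acts as a forwarding
# (not IP masquerading) gateway.
#
# Change IP networks, salt to taste.
#
# Copyright 2002, Bri Hatch
#
# Released under the GPL. See COPYING file
# for more information.
#
# NOTE(review): every rule below is appended (-A) and this script never
# sets a chain policy or flushes existing rules. The ACCEPT rules only
# restrict anything if the input/output chains already have a DENY
# policy (set elsewhere, e.g. `ipchains -P input DENY` before this runs);
# under the stock ACCEPT policy they are no-ops and only the DENY rules
# in the spoof loop take effect. Confirm the policy in the caller.

# Abort at the first rule that fails to load: a half-loaded filter
# silently passes traffic the remaining rules were meant to stop.
set -e

# Path to the ipchains binary; override with IPCHAINS in the environment
# (handy for dry runs with a stub that just echoes its arguments).
ipchains=${IPCHAINS:-/sbin/ipchains}

# Internal network is assumed to be eth0
internal_net=192.168.5.0/24

# External network is assumed to be eth1
my_ip_addr=192.168.4.2/32

# Egress Filters: Allow only our internal IPs and
# external interface addrs out of eth1
"$ipchains" -A output -i eth1 -s "$my_ip_addr" -j ACCEPT
"$ipchains" -A output -i eth1 -s "$internal_net" -j ACCEPT

# Ingress Filters: Allow only our internal IPs and
# external interface addrs in from eth1
"$ipchains" -A input -i eth1 -d "$my_ip_addr" -j ACCEPT
"$ipchains" -A input -i eth1 -d "$internal_net" -j ACCEPT

# Egress/Ingress Filters on eth0:
# Allow only traffic to/from the internal net through eth0
"$ipchains" -A output -i eth0 -d "$internal_net" -j ACCEPT
"$ipchains" -A input -i eth0 -s "$internal_net" -j ACCEPT

# Block clearly-spoofed packets
# Deny any restricted ip networks from traversing Carbon at all
#
# Ordering matters: ipchains uses first match, and both internal_net and
# my_ip_addr sit inside 192.168.0.0/16, so these DENY rules must follow
# the specific ACCEPTs above or they would cut off the gateway's own
# traffic. The cost of that ordering is that the eth1 *input* ACCEPTs
# match on destination only: a packet arriving on eth1 addressed to
# internal_net or my_ip_addr is accepted before this loop is reached no
# matter what source it carries, reserved ranges included. If that
# matters on your network, add `-s` DENY rules for the ranges your
# upstream can never legitimately use ahead of the eth1 input ACCEPTs.
for badnet in 127.0.0.1/32 10.0.0.0/8 172.16.0.0/12 \
    192.168.0.0/16 224.0.0.0/4 240.0.0.0/5
do
  "$ipchains" -A input -i eth0 -s "$badnet" -j DENY
  "$ipchains" -A output -i eth0 -s "$badnet" -j DENY
  "$ipchains" -A input -i eth1 -s "$badnet" -j DENY
  "$ipchains" -A output -i eth1 -s "$badnet" -j DENY
done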